please remove the active_support gem

Matt Aimonetti

The gem isn't maintained so it points to an ancient version of
activesupport 3.0.0

The gem could contain evil code and users could run this code
without realizing it

The gem has almost 120k downloads

For security reasons and for a better user experience I would
recommend removing this gem. I would also suggest setting up some
sort of redirect or message when users try to install the gem with
the typo in it (I do realize it probably would mean opening a can
of worms, but AS is one of Ruby's most popular gems so maybe it can
be treated as an exception).

We have not yanked a gem for these reasons before so I don't
want to discuss this properly.

Modern RubyGems suggests other names when you typo so we don't
need to worry about redirects for gem install.

Since we now have typo suggestions in RubyGems I think the
reasons for releasing this gem are no longer valid.

I'm concerned that active_support is confusingly similar to
activesupport. It infringes on the real gem's namespace.

I'm concerned that the gem is unmaintained. I don't think a
maintained version is particularly better, especially when the real
gem is very popular (near 20 million downloads, near 800k for its
current version) and a security release in activesupport could
cause users to be out of date, even if only by a few critical
hours.

Since my reply over the web GUI did not reach: the reason for me to add
that "redirect" gem was that
https://rubygems.org/gems/rails_config/versions/0.1.0 depends on it.
For Maven to install rails_config without an explicit version works only
if the dependencies can be resolved.

My guess is that in most cases, the authors would agree to
remove the gem since we now have typo suggestions. However, should
we blacklist some gem names so potential attackers wouldn't use
common typos to potentially make users' machines vulnerable?

We're working on a set of policies that hopefully will deal with
"typo" gems that sound like or are close to the real gem names.
More on that soon at the RubyGems mailing lists/blog. Marking this
one as closed for now.